From a71e7c85a9f2313cde20d4479cd727a5f5518ed2 Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen <sebras@gmail.com>
Date: Mon, 29 Jan 2018 21:38:43 +0100
Subject: Bug 698908: Plug PDF object leaks when decimating pages in pdfposter.

The bug reports a buffer overflow, but after that was fixed this leak
was reported by ASAN.
---
 source/tools/pdfposter.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

(limited to 'source/tools')

diff --git a/source/tools/pdfposter.c b/source/tools/pdfposter.c
index 753a4da3..304e6bbb 100644
--- a/source/tools/pdfposter.c
+++ b/source/tools/pdfposter.c
@@ -47,10 +47,10 @@ intersect_box(fz_context *ctx, pdf_document *doc, pdf_obj *page, pdf_obj *box_na
 		old_rect.y1 = mb->y1;
 
 	newbox = pdf_new_array(ctx, doc, 4);
-	pdf_array_push(ctx, newbox, pdf_new_real(ctx, doc, old_rect.x0));
-	pdf_array_push(ctx, newbox, pdf_new_real(ctx, doc, old_rect.y0));
-	pdf_array_push(ctx, newbox, pdf_new_real(ctx, doc, old_rect.x1));
-	pdf_array_push(ctx, newbox, pdf_new_real(ctx, doc, old_rect.y1));
+	pdf_array_push_drop(ctx, newbox, pdf_new_real(ctx, doc, old_rect.x0));
+	pdf_array_push_drop(ctx, newbox, pdf_new_real(ctx, doc, old_rect.y0));
+	pdf_array_push_drop(ctx, newbox, pdf_new_real(ctx, doc, old_rect.x1));
+	pdf_array_push_drop(ctx, newbox, pdf_new_real(ctx, doc, old_rect.y1));
 	pdf_dict_put_drop(ctx, page, box_name, newbox);
 }
 
@@ -89,6 +89,7 @@ static void decimatepages(fz_context *ctx, pdf_document *doc)
 		int x, y;
 
 		pdf_page_transform(ctx, page_details, &mediabox, &page_ctm);
+		fz_drop_page(ctx, (fz_page *) page_details);
 
 		w = mediabox.x1 - mediabox.x0;
 		h = mediabox.y1 - mediabox.y0;
@@ -130,10 +131,10 @@ static void decimatepages(fz_context *ctx, pdf_document *doc)
 				else
 					mb.y1 = mediabox.y0 + (h/yf)*(y+1);
 
-				pdf_array_push(ctx, newmediabox, pdf_new_real(ctx, doc, mb.x0));
-				pdf_array_push(ctx, newmediabox, pdf_new_real(ctx, doc, mb.y0));
-				pdf_array_push(ctx, newmediabox, pdf_new_real(ctx, doc, mb.x1));
-				pdf_array_push(ctx, newmediabox, pdf_new_real(ctx, doc, mb.y1));
+				pdf_array_push_drop(ctx, newmediabox, pdf_new_real(ctx, doc, mb.x0));
+				pdf_array_push_drop(ctx, newmediabox, pdf_new_real(ctx, doc, mb.y0));
+				pdf_array_push_drop(ctx, newmediabox, pdf_new_real(ctx, doc, mb.x1));
+				pdf_array_push_drop(ctx, newmediabox, pdf_new_real(ctx, doc, mb.y1));
 
 				pdf_dict_put(ctx, newpageobj, PDF_NAME_Parent, pages);
 				pdf_dict_put_drop(ctx, newpageobj, PDF_NAME_MediaBox, newmediabox);
@@ -144,7 +145,8 @@ static void decimatepages(fz_context *ctx, pdf_document *doc)
 				intersect_box(ctx, doc, newpageobj, PDF_NAME_ArtBox, &mb);
 
 				/* Store page object in new kids array */
-				pdf_array_push(ctx, kids, newpageref);
+				pdf_drop_obj(ctx, newpageobj);
+				pdf_array_push_drop(ctx, kids, newpageref);
 
 				kidcount++;
 			}
-- 
cgit v1.2.3